Unfortunately, Symantec caught only the driver file, not the shell code, installation code, main drivers and configuration file. The fragment verifies that a new version with significant new capabilities is loose in the wild, but doesn't provide any information on the names or locations of the command-and-control servers that give the malware its orders and send it new configuration or installation modules to match conditions the loader finds.

Symantec and Kaspersky researchers were able to find C&C servers for the previous versions of Duqu; they were shut down in October, 2011.

Duqu is a new piece of software apparently developed using the same development tools as Stuxnet, the Trojan horse designed specifically to infect and sabotage sensitive equipment used in nuclear-fuel-refinement facilities in Iran.

While similar in many ways, Duqu's purpose is not sabotage but espionage. The C&C servers that supply its orders can direct Duqu at hand-picked targets much more precisely than is usual for viruses, and alter it to gather different types of information.

Why is Duqu unique?

Duqu differs from most malware in the flexibility of its modular design, which makes it more a malware framework than a simple virus or Trojan.

The main Trojan module includes a kernel driver responsible for penetrating a machine's security, a DLL library that communicates with C&C servers, configures other modules and runs executable code, and a configuration file with instructions on how to do all that.

There is also a keylogger designed to capture data from the initial victim as well as from any other machines Duqu seeks out on an infected network.

Duqu is hard to identify because its configuration changes drastically from one infection to another. When it was first discovered there were at least 13 driver files that could use different methods and signatures to penetrate new systems. Each installation used different checksums and file names.

It's not clear from either the victims or Duqu's methods who its specific targets are or what information its authors are after.

Using feedback from discussions on Reddit, Sourceforge and other public-discussion forums, Kaspersky researchers concluded the Duqu code was most similar to the kind of work done by experienced "old school" programmers whose goal was to build an app that would run flawlessly on as many platforms as possible and respond intelligently to specific conditions it found there.

The command-and-control code may have been reused from a previously existing project and/or be built into the object-oriented programming framework set up to allow many programmers to work on the Duqu project simultaneously.

Overall it looked like the work of a professional team of developers, possibly with experience building software for complex civil engineering projects, rather than contemporary malware.

"All the conclusions indicate a rather professional team of developers, which appear to be reusing older code written by top 'old school' developers," according to Kaspersky's analysis. "Such techniques are normally seen in professional software and almost never in today's malware. Once again, these indicate that Duqu, just like Stuxnet, is a 'one of a kind' piece of malware which stands out like a gem from the large mass of 'dumb' malicious program we normally see."

What to expect from Duqu

For all the detail from Symantec and Kaspersky, we still don't know much about the identity or intentions of Duqu developers.

We know it is designed to be used as something closer to fire-and-forget industrial espionage software than the large-scale cyberespionage projects attributed to the Chinese military, which depend on spear-phishing emails to get a toehold in an organization and on malware to keep permanent access.

That approach has been wildly successful, but requires far more manpower than the heavily automated Duqu.

As with previous versions of the malware "gem," there is no clear indication who the authors' targets may be or what specific information it seeks.

The only conclusion Symantec or Kaspersky researchers came to is that Duqu is still uniquely effective, uniquely changeable and under constant development to make it harder to identify, harder to stop and more effective when it does infect a new installation.

As with Stuxnet, Israel and the U.S. are the primary suspects, but so far there is no incontrovertible evidence indicating even a connection with Stuxnet, let alone a common ownership or set of targets.